\subsection{Advanced Malware Techniques}


\subsection{Anti-Detection/Obfuscation Measures}

\begin{frame}
    \frametitle{Detection Techniques and Counter-Measures}
    \begin{block}{}
        In order to detect malicious malware samples most of the antivirus industry relies on signature matching for detecting malware
    \end{block}
    \begin{itemize}
        \item A set of techniques will aim at making the signature based matching useless against identifying malware: polymorphism, server side polymorphism, metamorphism
        \item Others just aim at making analysis difficult or painful: code obfuscation, virtual machines, entry point obfuscation
    \end{itemize}
\end{frame}



\begin{frame}
    \frametitle{Polymorphism}
    \begin{itemize}
        \item Polymorphic malware generates different binaries as it spreads
        \item Performs relatively simple instruction substitutions or scrambling
        \item Changes key/algorithm in every iteration
        \item Code keeps some similar patterns across generations
        \item Not truly problematic, live analysis is usually an effective measure. High-level behavior seldom changes
    \end{itemize}
\end{frame}

\begin{frame}
    \frametitle{A View of Polymorphism}
    \begin{center}
        \pgfimage[height=7cm]{images/advanced_malware_techniques/polymorphic}
    \end{center}
\end{frame}


\begin{frame}
    \frametitle{Metamorphism}
    \begin{itemize}
        \item Metamorphic malware doesn't just scramble the code but actually generates new code
        \item Disassembles and reassembles itself, performing the same actions using different code
        \item Goes beyond simple instruction substitution
        \item Signature based detection has a tough time
    \end{itemize}
\end{frame}

\begin{frame}
    \frametitle{A View of Metamorphism}
    \begin{center}
        \pgfimage[height=7cm]{images/advanced_malware_techniques/metamorphic}
    \end{center}
\end{frame}


\begin{frame}
    \frametitle{Examples of Metamorphism}
    \begin{block}<1->{}
        \pedref{PFerrie-zmist}
    \end{block}
    \begin{block}<1->{}
        \pedref{evol}
    \end{block}
    \begin{block}<1->{}
        \pedref{PEferrie-simile} (Metamorphic Permutating High-Obfuscating Reassembler)
    \end{block}
\end{frame}


\begin{frame}
    \frametitle{Entry Point Obfuscation}
    \begin{itemize}
        \item Used by file infectors
        \item Hides the entry point to the malicious code
        \item Finds some functionality of the host application that it's always executed
        \item Then it diverts the execution flow to its own code, eventually returning to the original code
        \item The Polip family is a good example
        \begin{block}{}
            \begin{center}
                Try writing a small IDAPython script to automatically find the entrypoints to the malicious code
            \end{center}
        \end{block}        
    \end{itemize}
\end{frame}


\begin{frame}
    \frametitle{Virtual Machines}
    \begin{itemize}
        \item Aims at making analysis difficult 
        \item Removes the logic of the code by implementing a virtual architecture on which the final code is developed
        \item An analyst must first unfold this machine's architecture in order to understand the higher level code
    \end{itemize}
\end{frame}

\begin{frame}
    \frametitle{Examples of Virtual Machine Technology}
    \begin{itemize}
        \item Themida
            \begin{block}{}
                \begin{center}
                    http://www.oreans.com/themida.php
                \end{center}
            \end{block}        
        \item VMProtect
            \begin{block}{Source Code}
                \begin{center}
                    http://www.polytech.ural.ru/ (in Russian)
                \end{center}
            \end{block}
        \item StarForce
            \begin{block}{}
                \begin{center}
                    http://www.star-force.com/
                \end{center}
            \end{block}        
        \item T2 Conference Challenge and a few other "crackmes"
    \end{itemize}
\end{frame}



\subsection{Runtime Hiding Techniques}

\begin{frame}
    \frametitle{Rootkit Technology}
    
    \begin{block}{Overview}
    Rootkits aim at making themselves and other executables undetectable to the underlying system. For malware, the main purpose of rootkit technology is to remain on the infected host as long as possible without being detected and therefore disinfected
    \end{block}
    \begin{itemize}
        \item Rootkits normally run in kernel mode
        \item Commonly they hook \emph{API} functionality and filter those events that would expose them
        \item \emph{DKOM} (\emph{Direct Kernel Object Manipulation}) is a more advanced technique by which rootkits alter executive objects in order to remove any traces of them running
    \end{itemize}
\end{frame}


\begin{frame}
    \frametitle{Hypervisor Technology}
    \begin{block}{\emph{From Wikipedia}}
        A hypervisor in computing is a scheme which allows multiple operating systems to run, unmodified, on a host computer at the same time. The term is an extension of the earlier term supervisor, which was commonly applied to operating system kernels in that era.
    \end{block}

\end{frame}

\begin{frame}
    \frametitle{Hypervisor Technology}
    
    \begin{itemize}
        \item Both \emph{Intel} and \emph{AMD} have their own hardware virtualization extensions
        \item \emph{AMD}'s is currenly codenamed \emph{Pacifica}
        \item \emph{Intel}'s is known as \emph{VT} or \emph{Vanderpool}
        \item Both technologies are already available on consumer products.
        \item \emph{Microsoft's} \emph{Virtual PC} and \emph{Virtual Server}, \emph{Parallels Workstation}, \emph{TRANGO}, \emph{VMware} and \emph{Xem} already employ the virtualization extensions if available
        \item \emph{Blue Pill} uses undocumented features in \emph{Pacifica} to take over the system
    \begin{block}{}
        \begin{center}
            http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html
        \end{center}
    \end{block}
    \end{itemize}
\end{frame}


\subsection{Counter-Measures}
\begin{frame}
    \frametitle{Poly/Meta morphism}
    \begin{itemize}
        \item Polymorphism can be fought with emulation and live analysis techniques
        \item Metamorphism and VM techniques are trickier
        \item Behavioral analysis is effective as long as the malware in question performs distinctive actions using common APIs
    \end{itemize}
\end{frame}

\begin{frame}
    \frametitle{Rootkits}
    \begin{itemize}
        \item To detect active rootkits one of the common approaches is to attempt to gather the same information through different channels. For instance:        
        \begin{itemize}
            \item Using the operating system's standard \emph{API}s
            \item Using low level techniques, thus bypassing the \emph{API}s
            \item Attempting to obtain handles to every possible process
        \end{itemize}
        \item Proceeding to compare the two sets of results. Disparities between them will tend to indicate that something might trying to hide
        \item Detecting hardware-virtualized malware might actually be impossible if the implementation has no bugs... ;-)
    \end{itemize}
\end{frame}